Database Security
Database security is integral to the design and function of a database. There are three important pieces to database security: Physical, User, and Network. These pieces work in conjunction with policies, standards, and procedures. Policies are directions that support a goal. Standards describe the minimum that must be done toward a goal. Performance and tasks can also be scored against a standard to verify how well they meet it. Procedures are detailed instructions that describe a process step by step.

Physical

Physical security involves hardening the physical structure where a database is housed. Most databases are stored on special servers dedicated strictly to the database. Databases should be located centrally in a building, in a specific locked room. Only the Information Technology (IT) and Database Administration (DBA) staff should have physical access to this room. The walls of this room should be solid and rise completely up to the next level so that access through a false ceiling is eliminated. Policies, standards, and procedures should also be implemented here. A policy could be that the database room is to be locked at all times. A standard could be that a security officer checks the room every hour. Finally, a procedure could be how to install the correct type of lock for a database room.

User

User access to the database should be limited to what the user needs from the database. For example, logistics would not need access to accounting's records. User access should also be controlled at the operating system level so that unwanted users cannot log on to a system and then gain access to the database. There are a variety of ways to verify identity and access to a database, such as passwords, biometrics (http://www.precisebiometrics.com/), and keys. Social engineering (http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci531120,00.html) is the art of tricking someone into giving you information to access a system.
By leaving user names and passwords out, it can be quite easy for someone to pretend to be someone else. A policy to implement could be that all users are required to have a password. A standard could be that passwords should be alphanumeric (http://www.webopedia.com/TERM/A/alphanumeric.html). And a procedure could outline examples of alphanumeric passwords.

Network

Access to a database through the web is becoming commonplace. Securing the internal network and external network is a priority. The company information technology department is responsible for providing a secure and reliable network experience. Usernames and passwords are essential for gaining access to the network. Intrusion Detection Systems (IDS) (http://www.sans.org/resources/idfaq/what_is_id.php) should be in place to monitor any suspicious activity. A policy for network security could require that all network users have a login ID and password. A standard could be that Kerberos (http://web.mit.edu/kerberos/www/) be used on the network. A procedure could outline how to add users to the system.

Database Vulnerabilities

• Server Security
• Database Connections
• Table Access Control
• Restricting Database Access

Server Security

Server security is the process of limiting actual access to the database server itself. This aspect might be the most important angle of security, and should be carefully planned.

• You can't access what you can't see.
• This is not a web server. There should be no such thing as an anonymous connection.
• Your database back end should never be on the same machine as your web server, not just for security, but for performance.
• If your database server is supplying information to a web server, then it should be configured to allow connections only from that web server.

Trusted IP addresses

Every server should be configured to allow only trusted IP addresses. You should know exactly who should be allowed to interact with your database server.
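The trusted-address rule above can be expressed as a fail-closed allowlist check. The following is an added example, not code from the original article; the addresses are constructed documentation ranges and the minimum prefix lengths used to flag over-broad entries are assumptions.

```python
import ipaddress

# Constructed sample allowlist: one web server plus one IPv6 subnet.
TRUSTED_SOURCES = ["192.0.2.10/32", "2001:db8:10::/64"]
# Assumed policy: entries wider than these prefixes are not "knowing exactly who".
MIN_PREFIX = {4: 24, 6: 64}


def load_allowlist(entries):
    """Parse entries strictly; a malformed entry raises instead of being skipped."""
    return [ipaddress.ip_network(entry, strict=True) for entry in entries]


def overly_broad(allowlist):
    """Return allowlist entries that admit more hosts than the assumed policy allows."""
    return [net for net in allowlist if net.prefixlen < MIN_PREFIX[net.version]]


def is_trusted(peer, allowlist):
    """True only when the peer address lies inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # unparseable peer address: fail closed
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; compare the
    # embedded IPv4 address so the same client is judged the same way.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr.version == net.version and addr in net for net in allowlist)


def screen(peers, allowlist):
    """Split connection attempts into (accepted, rejected) lists."""
    accepted = [p for p in peers if is_trusted(p, allowlist)]
    rejected = [p for p in peers if not is_trusted(p, allowlist)]
    return accepted, rejected


if __name__ == "__main__":
    allow = load_allowlist(TRUSTED_SOURCES)
    print(screen(["192.0.2.10", "198.51.100.7", "::ffff:192.0.2.10"], allow))
    print(overly_broad(load_allowlist(["0.0.0.0/0"])))
```
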
Also, it is a poor decision to host your web databases on the same server that houses internal database information. Why would you have internal information out in the DMZ? It's not called the DMZ for nothing.

Database Connections

If you are going to allow users to make updates to a database via a web page, validate every update to ensure that it is warranted and safe. For example, ensure that you are removing any possible SQL code from user-supplied input. If a normal user should never be inputting it, don't allow the data to ever be submitted.

Table Access Control

Table access control is commonly overlooked in database security because of the difficulty in applying it. Correctly using table access control requires the collaboration of both the system administrator and the database developer.

Restricting Database Access

Specifics of server security:

• Most cyber criminals are going to do a simple "port scan" to look for open ports that popular database systems use by default.
  o You can change the ports a service listens on, which is a good way to throw off a criminal.
• The criminal now knows there is a system answering at this address. The first thing to do to prevent this is to disable any ICMP packets.
  o This will prevent ping requests from being replied to.

There are many ways to prevent open access from the Internet, and each database system has its own set of unique features, as does each OS. So I am merely going to touch on a few methods.

• Trusted IP addresses - UNIX servers are configured to answer only pings from a list of trusted hosts. In UNIX, this is accomplished by configuring the rhosts file, which restricts server access to a list of specific users.
• Server account disabling - If you suspend the server ID after three password attempts, attackers are thwarted. Without user ID suspension, an attacker can run a program that generates millions of passwords until it guesses the user ID and password combination.
• Special tools - Products such as RealSecure by ISS send an alert when an external server is attempting to breach your system's security.

Oracle has a wealth of authentication methods:

• Kerberos security - This popular "ticket"-based authentication system sidesteps several security risks.
• Virtual private databases - VPD technology can restrict access to selected rows of tables.
• Role-based security - Object privileges can be grouped into roles, which can then be assigned to specific users.
• Grant-execute security - Execution privileges on procedures can be tightly coupled to users. When a user executes the procedures, they gain database access, but only within the scope of the procedure.
• Authentication servers - Secure authentication servers provide positive identification for external users.
• Port access security - All Oracle applications are directed to listen at a specific port number on the server. Like any standard HTTP server, the Oracle Web Listener can be configured to restrict access.

References

• Wiedman, Blake, http://www.governmentsecurity.org/articles/DatabaseSecurityCommon-sensePrinciples.php
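The validation described under Database Connections, shown as an added example that is not part of the original article: a weak update routine beside a hardened one, run against an in-memory SQLite database. The table, column names and sample input are constructed, and the hardened version goes one step beyond the text by also binding values as query parameters.

```python
import re
import sqlite3

# Allowlist of what a normal user would ever submit as a phone number.
PHONE_RE = re.compile(r"\+?[0-9][0-9 \-]{5,18}[0-9]")

# Constructed input: a quote ends the phone value and adds a second assignment.
HOSTILE = "555-0199', credit_limit = '999999"


def make_db():
    """Build a throwaway database with one constructed customer row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, phone TEXT, credit_limit INTEGER)"
    )
    conn.execute("INSERT INTO customers VALUES (1, '555-0100', 500)")
    return conn


def update_phone_unsafe(conn, customer_id, phone):
    # WEAK: the input is pasted into the statement, so quotes in it become SQL.
    conn.execute(f"UPDATE customers SET phone = '{phone}' WHERE id = {customer_id}")


def update_phone_safe(conn, customer_id, phone):
    # 1. Refuse anything a normal user would never need to submit.
    if not isinstance(customer_id, int) or not PHONE_RE.fullmatch(phone):
        raise ValueError("rejected input")
    # 2. Bind values as parameters so they can only ever be treated as data.
    conn.execute("UPDATE customers SET phone = ? WHERE id = ?", (phone, customer_id))


def credit_limit(conn, customer_id):
    row = conn.execute(
        "SELECT credit_limit FROM customers WHERE id = ?", (customer_id,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    weak = make_db()
    update_phone_unsafe(weak, 1, HOSTILE)
    print("unsafe path, credit_limit:", credit_limit(weak, 1))
    hardened = make_db()
    try:
        update_phone_safe(hardened, 1, HOSTILE)
    except ValueError as exc:
        print("safe path:", exc, "- credit_limit:", credit_limit(hardened, 1))
```
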